SAP Skills - Use SAP for procurement with your agent

Security checks across malware telemetry and agentic risk

Overview

This is a real-money agent payments skill whose broad purchasing, selling, local card-file storage, and remote-script workflow need careful review before installation.

Install only if you trust CreditClaw and need an agent to spend or collect money. Use the strictest approval mode, keep CREDITCLAW_API_KEY in a secrets manager, review or sandbox any downloaded card/decrypt artifacts before execution, avoid broad auto-approval rules, and confirm how local card files, webhook payloads, buyer PII, and transaction logs are retained and deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The file expands the documented capability beyond the stated Amazon-focused skill by explicitly supporting Shopify and arbitrary URL purchases. That scope drift is dangerous because agents or reviewers may rely on the manifest for trust boundaries, while this hidden or unlisted document enables broader real-world purchasing behavior than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The manifest brands this as an Amazon shopping skill, but the body documents a much broader financial platform with generic wallet funding, payments, selling, invoices, checkout pages, and multi-rail commerce. This scope mismatch can mislead users and agent frameworks into granting a narrowly understood shopping capability while actually enabling broader money movement and merchant-agnostic financial actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The skill includes seller and commerce features such as payment links, invoices, checkout pages, and shop management that are unrelated to the stated purpose of shopping on Amazon. Hidden or unexpected expansion into revenue collection and public commerce materially increases risk because an agent authorized for purchasing may also gain the ability to solicit payments or operate storefront flows.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill explicitly supports collecting buyer personal data such as recipient names and recipient emails, but provides no privacy, retention, minimization, or consent guidance. In an agent context, this increases the chance that downstream implementations will mishandle PII, expose it in logs, or process it without appropriate notice and controls.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The webhook example includes buyer_email in the event payload without warning that webhook consumers are receiving sensitive customer data. This can lead integrators to forward, store, or log the payload insecurely, creating avoidable privacy exposure across systems.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
This guide instructs users to submit real purchase requests containing an API key and full shipping address, but it does not clearly warn that this triggers external transactions, exposes sensitive personal data, and can result in real financial charges. In an agent skill context, omission of these warnings increases the chance of unintended purchases or privacy-impacting actions being taken with insufficient user understanding.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill explicitly instructs the agent to save a self-contained encrypted card artifact to local disk, and that artifact includes both encrypted payment data and a bundled decryption script. Even if the card is encrypted at rest, persisting payment-related material on disk increases exposure through filesystem compromise, backups, logs, sync tools, or broader-than-expected file permissions, and the document does not provide strong handling requirements for this sensitive artifact.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The free-form 'Notes to Your Bot' section invites arbitrary plain-language spending directives with no schema, denylist, or precedence rules. In a purchasing skill, this can let a user or injected content create ambiguous or unsafe authorization logic, potentially weakening approval requirements or causing unintended purchases.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding:
This documentation describes real-fund payment signing and wallet operations but does not prominently warn that actions can spend actual USDC and expose financial metadata such as balances and transaction history. In an agent skill context, that omission can lead operators or downstream agents to treat these examples as routine API calls rather than financially sensitive operations, increasing the chance of unintended spending or privacy leakage.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
### Fetch Pending Messages

```bash
curl https://creditclaw.com/api/v1/bot/messages \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY"
```
Confidence: 91%

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
Confidence: 89%
Finding:
auto_approve

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
- Cache this for up to 30 minutes. Do not fetch before every micro-purchase.
Confidence: 89%
Finding:
auto_approve

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
| **package.json** (metadata) | `https://creditclaw.com/amazon/skill.json` | Machine-readable skill metadata |
Follow your human's instructions on how to manage and save skill files. If unsure, you can install locally:
```bash
mkdir -p ~/.creditclaw/skills/amazon
curl -s https://creditclaw.com/amazon/skill.md > ~/.creditclaw/skills/amazon/SKILL.md
curl -s https://creditclaw.com/amazon/checkout.md > ~/.creditclaw/skills/amazon/CHECKOUT.md
curl -s https://creditclaw.com/amazon/crossmint-wallet.md > ~/.creditclaw/skills/amazon/CROSSMINT-WALLET.md
```
Confidence: 84%

VirusTotal

66/66 vendors flagged this skill as clean.
